Do anybody knows where I could get the PGP keys to verify the integrity of the source code I downloaded from a mirror?
Thanks
-Jorge
On Jul 30, 2008, at 4:33 PM, Jorge Medina wrote:
Do anybody knows where I could get the PGP keys to verify the integrity of the source code I downloaded from a mirror?
PGP is not used to sign releases or release announcements.
To verify the integrity of a tarball download from ftp.openldap.org or a mirror, you can check it against the SSHA1 and/or MD5 hashes published as part of the announcement for the release (posted to openldap-announce@openldap.org , archived in that list's archives).
Hash verification is not intended to detect instances where openldap.org hosted services have been hijacked or otherwise seriously compromised.
-- Kurt
On Wed, Jul 30, 2008 at 06:16:20PM +0100, Kurt Zeilenga wrote:
On Jul 30, 2008, at 4:33 PM, Jorge Medina wrote:
Do anybody knows where I could get the PGP keys to verify the integrity of the source code I downloaded from a mirror?
PGP is not used to sign releases or release announcements.
To verify the integrity of a tarball download from ftp.openldap.org or a mirror, you can check it against the SSHA1 and/or MD5 hashes published as part of the announcement for the release (posted to openldap-announce@openldap.org , archived in that list's archives).
Hash verification is not intended to detect instances where openldap.org hosted services have been hijacked or otherwise seriously compromised.
However only offering the option to verify the hashes using unsigned emails or non-https publications on a web site is offering up many more attack vectors.
PGP-signing the hashes would solve this problem and is bog standard practice in many (most?) projects and I would like to see it offered by OpenLDAP.
Cheers, Dominic.
Dominic Hargreaves wrote:
On Wed, Jul 30, 2008 at 06:16:20PM +0100, Kurt Zeilenga wrote:
On Jul 30, 2008, at 4:33 PM, Jorge Medina wrote:
Do anybody knows where I could get the PGP keys to verify the integrity of the source code I downloaded from a mirror?
PGP is not used to sign releases or release announcements.
To verify the integrity of a tarball download from ftp.openldap.org or a mirror, you can check it against the SSHA1 and/or MD5 hashes published as part of the announcement for the release (posted to openldap-announce@openldap.org , archived in that list's archives).
Hash verification is not intended to detect instances where openldap.org hosted services have been hijacked or otherwise seriously compromised.
However only offering the option to verify the hashes using unsigned emails or non-https publications on a web site is offering up many more attack vectors.
PGP-signing the hashes would solve this problem and is bog standard practice in many (most?) projects and I would like to see it offered by OpenLDAP.
I'd support the approach with digitally signing the source tar.gz files. I'm doing it for years when releasing web2ldap source packages. It's just part of a simple script. Therefore I've filed ITS#5639 for that.
Ciao, Michael.
openldap-software@openldap.org
-
Dominic Hargreaves -
Jorge Medina -
Kurt Zeilenga -
Michael Ströder